We are facing a packet drop issue on IPsec traffic once ECMP is enabled.
We have two ISPs and wish to balance the traffic, and are using balanced round robin for this. Once it is enabled, IPsec packet drops occur, and if we disable ECMP everything is fine.
The first internet line is a leased line on which the IPsec is terminated, and the other line is ADSL, i.e. dynamic IP.
I suspect that, since ECMP is enabled, the traffic is going out the ADSL line and the return traffic is coming in on the leased line and getting dropped by the FW.
Please advise if there is any solution for this scenario. If I enable IP modulo or IP hash for ECMP, will this resolve the issue, or PBF for symmetric return?
How did you configure the VPN exactly? Is it bound to a loopback or the physical interfaces?
IP modulo/hash should help the connection be 'sticky' to a single link and only switch when the link goes down.
PBF will not be an option as you can't control system-sourced connections through PBF.
Thank you, but I'm kind of confused here. When you say: "if the VPN is bound to the physical interface of the leased line, you should also be able to add a static route for the remote peer pointed to the next hop on the leased line (metric 1)"...
Is the destination the private IP or the public IP of the remote peer? Will the next hop be the ISP router IP of the leased line?
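
The three options discussed in this thread (balanced round robin, IP modulo, and a static route for the peer via the leased line) can be compared with a small model. This is an added example, not posted by anyone in the thread and not the firewall's actual algorithm: the hash is a simplified stand-in, and the addresses and link names are constructed from documentation ranges.

```python
import ipaddress
from itertools import count

# Constructed sample values (documentation ranges, not from the thread).
LEASED, ADSL = "leased-line", "adsl"
ECMP_LINKS = [LEASED, ADSL]          # two equal-cost default routes
LOCAL_WAN_IP = "198.51.100.10"       # tunnel source on the leased line
REMOTE_PEER = "203.0.113.21"         # remote IPsec peer's tunnel endpoint


def round_robin_picker():
    """Each new session takes the next link in turn."""
    counter = count()
    return lambda src, dst: ECMP_LINKS[next(counter) % len(ECMP_LINKS)]


def ip_modulo(src, dst):
    """Simplified stand-in for an IP-based hash: same src/dst, same link."""
    key = int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))
    return ECMP_LINKS[key % len(ECMP_LINKS)]


def route(src, dst, ecmp_pick, static_routes=None):
    """Longest-prefix match wins; ECMP only chooses among the default routes."""
    dst_ip = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), link)
               for net, link in (static_routes or {}).items()
               if dst_ip in ipaddress.ip_network(net)]
    if matches:
        return max(matches, key=lambda m: m[0].prefixlen)[1]
    return ecmp_pick(src, dst)


def egress_for_sessions(n, ecmp_pick, static_routes=None):
    """Egress link chosen for n successive tunnel sessions to the peer."""
    return [route(LOCAL_WAN_IP, REMOTE_PEER, ecmp_pick, static_routes)
            for _ in range(n)]


if __name__ == "__main__":
    host_route = {REMOTE_PEER + "/32": LEASED}  # host route for the peer
    print("round robin :", egress_for_sessions(4, round_robin_picker()))
    print("ip modulo   :", egress_for_sessions(4, ip_modulo))
    print("static /32  :", egress_for_sessions(4, round_robin_picker(), host_route))
```

In this model the hash keeps the tunnel on one link, but which link depends on the address pair; only the more specific route for the peer guarantees the leased line.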